Tumblr Apple apps sent clear text passwords

There’s something to be said for getting the basics right, and this is a timely reminder.

Tumblr has issued a patch for its iOS iPhone and iPad applications after a user discovered it sent passwords in clear text. The gaffe, first reported by The Register, was discovered by a security professional during an audit of iOS applications for an organisation.

He went public with the flaw after claiming Tumblr’s support team failed to respond to his private disclosure. Because the apps failed to make use of Secure Sockets Layer, users could, for example, have their accounts compromised when logging in over public wireless networks.

Tumblr product vice president Derek Gottfrid urged users to apply the “very important update” released today and change passwords if they had used the iOS apps.

“If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password,” Gottfrid said in a statement. “It’s also good practice to use different passwords across different services by using an app like 1Password or LastPass.” He said Tumblr was “tremendously sorry” for the flaw.

Adrian’s Note:
Amid the range of identity management products we may deploy, and spend effort and money integrating, there are some security fundamentals we still need to apply:
– Secure coding standards and guidelines.
– Check that we use secure protocols.
– Think things through and have an appropriate security design.
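The “check that we use secure protocols” point is exactly what an audit of captured app traffic tests for. As an added example (not code from the article or from Tumblr), the script below scans a constructed sample of captured requests and flags any credential-like field sent over a scheme other than https; the field names, host and sample traffic are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of captured app requests (hypothetical; not real Tumblr traffic).
CAPTURED_REQUESTS = [
    {"method": "POST", "url": "http://api.example.test/login",
     "body": "email=alice%40example.test&password=hunter2"},      # cleartext login
    {"method": "POST", "url": "https://api.example.test/login",
     "body": "email=alice%40example.test&password=hunter2"},     # same login over TLS
    {"method": "GET", "url": "http://api.example.test/posts?limit=20", "body": ""},
    {"method": "GET", "url": "http://api.example.test/session?token=abc123", "body": ""},
]

# Parameter names treated as credentials (assumed list; extend for the app under audit).
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "token", "secret"}


def credential_fields_in(request):
    """Return the credential-like parameter names found in the query string or body."""
    parts = urlsplit(request["url"])
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(request.get("body", ""), keep_blank_values=True))
    return sorted(name for name in params if name.lower() in CREDENTIAL_FIELDS)


def audit_cleartext_credentials(requests):
    """Flag requests that carry a credential-like field over anything but https.

    Returns a list of (url, fields) findings. A login that is later redirected to
    https still counts: the credential has already left the device in the clear.
    """
    findings = []
    for req in requests:
        scheme = urlsplit(req["url"]).scheme.lower()
        fields = credential_fields_in(req)
        if fields and scheme != "https":
            findings.append((req["url"], fields))
    return findings


if __name__ == "__main__":
    for url, fields in audit_cleartext_credentials(CAPTURED_REQUESTS):
        print(f"CLEARTEXT CREDENTIAL: {url} carries {', '.join(fields)}")
```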
